“Essentially, when you have different teams working on incident detection and response, as well as the inevitable surge in ad hoc personnel, the right collaborative technologies can significantly improve the effectiveness and accuracy of the human factor,” according to a report recently released by Intel Security, the security group of the American semiconductor manufacturer. “This collaboration could take the form of workflows and data sharing among people—formerly siloed IT and security teams—as well as integration and automation of controls, policies, and processes to improve operational efficiency.”
Top takeaways from the survey were:
- The chief information security officer (CISO) office’s engineers and architects have the dominant responsibility end to end.
- Operational roles are critical for containment and remediation.
- SOC analysts and incident responders play a major role in prevention, not just analysis and closing cases.
- The lion’s share of responsibility across the entire threat management spectrum falls on the shoulders of security engineers and architects within the CISO function, the survey showed.
“These roles function both architecturally and tactically. They work at a strategic, holistic level to find the best tools and techniques for every step of the security operations process with an eye toward achieving the best possible outcomes. On a tactical level, they operate in reactive mode when threats strike and also continually monitor the infrastructure for suspicious events,” the report said.
The second most significant contributor, the SOC analyst, is active in detection, triage, and analysis but often hands off containment and remediation responsibilities to administrative roles, especially network and endpoint administrators, according to Intel.
This may involve reimaging systems, applying patches and security updates, and other post-infection clean-up activities. This handoff is often necessary in larger organizations, where IT administrators have a better handle on business requirements and asset usage. When an incident arises, IT can work closely with the SOC team to determine the best course of action—one that rapidly and effectively addresses a high-severity threat with minimal disruption to business services. This is especially important for customer-facing e-commerce services or other mission-critical operations.
Like SOC analysts, incident responders can contribute to all parts of threat management but are most deeply involved with detection and prevention. After they discover the nature and trajectory of the threat and inform the SOC team about their findings, they are also tasked with adjusting the security posture. Their job is to prevent recurrences through updated policies or countermeasures and to inform security architects about their findings so that decisions can be made about how to address areas of concern and even consider future security investments.
- Contribute to real-time visibility—connecting people, processes, and technology across events, data, and systems.
- Improve and guide execution through workflows, scripts, automation, and reporting that reduce the effort and error associated with complex processes involving multiple roles at a company.
- Offer a hidden upside opportunity: ensuring that collaboration among tools fosters collaboration among people, which helps to detect, contain, and remediate more threats faster at less organizational cost.
To facilitate collaboration, many respondents want the ability to conduct certain processes remotely and to automate tasks. Remote containment, mitigation, and remediation are highly valued as part of rapid response across the board, among all geographies.
The top actions that support the SOC security analyst during containment and investigation are network isolation, process termination, and malware sandbox submissions. Other remote actions are part of rapid remediation by the incident responder or operations staff: restoration of compromised files, system shutdown or reboot, deletion of backdoor accounts, uninstalling software, deletion of files, and clearing browser caches. With a centralized and collaborative system in place, team members are empowered to handle security issues regardless of where they are physically located. When data needs to be investigated by the security operations team but then handed off to endpoint and network operations, shared data sets, commands, and alerts promote accuracy and consistency.
“Centralized tools simplify access to and implementation of the right correction. Specifically, centralized tools help more people, including surge resources, get involved in and accurately follow remediation workflows,” according to Torry Campbell, chief technology officer, emerging technologies at Intel Security. “Automation further improves results. SIEM [security information and event management], EDR [endpoint detection and response], and unified policy management systems are all beneficial ways to centralize hunting for incidents and automate approved remediation actions.”
The survey also cast a light on the complexity that siloed security tools create.
Survey respondents, on average, use four different products to investigate and close out an incident. Some companies use many more: 20 per cent of companies indicate they use between six and 15 products to accomplish this activity.
“…multivendor approach to security and implies that the use of multiple management and investigation consoles may slow down results,” according to the report.
Also, data is often transferred manually between tools, which increases the chances of error or misinterpretation. This, in turn, can have several consequences: the entire incident response process might have to be reworked, or, if the process is not properly vetted, things can slip through the cracks and threats may not be properly dealt with, according to Intel.